Nowadays many devices come with chips and are connected to the Internet—the so-called Internet of Things. The smart fridge that alerts you when milk is low or adds it to the shopping list—maybe even orders it from the grocery app! The air conditioner that anticipates when you want the house cooler for a run on the treadmill but turns itself down when you're out at the movies. A baby monitor that tells you when it's time to stock up on teething gel: the little one has been tossing and turning a little too much.
It sounds useful and wondrous. It's quite possible, however, that your Internet-connected baby monitor instead spent last night teaming up with hundreds of thousands of other devices, including cameras, printers, routers, speakers, air conditioners and DVRs, to censor journalists; make Twitter, Netflix and other large sites unreachable by flooding the DNS provider they depended on; sabotage open-source software projects; knock almost a million German households off-line; or disrupt cell-phone communications in Liberia. With all this extra stealth activity, it's also running up your electricity bill.
Wait ... what? The problem is painfully simple and terribly thorny, and it is as much about globalization, law and liability as it is about technology. Most of our gizmos rely on generic hardware, much of it produced in China, used in consumer products worldwide. To do their work, these devices run software and expose administrative accounts, often reachable over Telnet, that can be logged into to configure them. Unfortunately, a sizable number of manufacturers ship those accounts with simple and already widely known default passwords such as "password," "pass," "1234," "admin," "default" or "guest," and on many devices the owner cannot change them even if they try.
In a simple but devastating attack, someone put together a list of 61 such user name/password combinations and wrote a program that scans the Internet for devices that answer on the Telnet port and tries each pair in turn. Once in, the malware is loaded onto the device and, in a devious twist, hunts down other well-known malware already running there and kills it, so that it can be the sole parasite. The malicious program, dubbed Mirai, then chains hundreds of thousands of these vulnerable devices together into a botnet, a network of infected computers under one operator's control. When giant hordes of zombie baby monitors, printers and cameras simultaneously flood their victim with junk traffic (a distributed denial-of-service, or DDoS, attack), the targeted site becomes overwhelmed and thus inaccessible unless it employs expensive protections.
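The scanning behaviour described above leaves a distinctive trace on any device that logs its login attempts: one source trying a run of the same well-known factory credentials, one after another. The following is an added example, not code from the article or from Mirai, that flags that pattern in a log. It assumes a simple `timestamp src=IP user=U pass=P result=R` line format (an assumption for the example; real routers and Telnet honeypots log differently), and the sample lines are constructed, not captured. The credential pairs are a subset of the table hard-coded in the publicly released Mirai scanner, which is where the six passwords the article names come from.

```python
"""Flag Mirai-style default-credential login attempts in a Telnet login log."""
from collections import defaultdict

# Subset of the username/password pairs hard-coded in the public Mirai scanner
# (the full table has roughly 60 entries). An empty string is an empty password.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("root", "54321"),
    ("support", "support"), ("root", ""), ("admin", "password"), ("root", "root"),
    ("root", "12345"), ("user", "user"), ("admin", ""), ("root", "pass"),
    ("guest", "guest"), ("guest", "12345"), ("admin", "1234"), ("admin", "1111"),
    ("root", "1234"), ("root", "password"), ("ubnt", "ubnt"), ("admin", "smcadmin"),
}

# Constructed sample log lines (not from a real device). Format assumed for this
# example: "<timestamp> src=<ip> user=<name> pass=<password> result=<fail|success>".
SAMPLE_LOG = """\
2016-09-20T02:14:01Z src=198.51.100.7 user=root pass=xc3511 result=fail
2016-09-20T02:14:02Z src=198.51.100.7 user=root pass=vizxv result=fail
2016-09-20T02:14:03Z src=198.51.100.7 user=admin pass=admin result=success
2016-09-20T02:15:10Z src=203.0.113.9 user=alice pass=correct-horse result=fail
2016-09-20T02:15:12Z src=203.0.113.9 user=alice pass=battery-staple result=success
2016-09-20T02:16:00Z src=198.51.100.42 user=root pass=888888 result=fail
this line is garbage and must be skipped
"""


def is_default_credential(user, password):
    """True if this pair is one the Mirai scanner would try. Also usable as a
    lint check when provisioning a device: a True here means 'change it'."""
    return (user, password) in MIRAI_DEFAULTS


def parse_line(line):
    """Parse one 'timestamp k=v k=v ...' line into a dict, or None if malformed."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    fields = {"ts": tokens[0]}
    for tok in tokens[1:]:
        if "=" not in tok:
            return None
        key, _, value = tok.partition("=")  # 'pass=' yields an empty password
        fields[key] = value
    if not all(k in fields for k in ("src", "user", "pass", "result")):
        return None
    return fields


def analyze(log_text):
    """Group login attempts by source IP and give each source a verdict."""
    per_src = defaultdict(
        lambda: {"attempts": 0, "default_tries": 0, "default_success": []}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines instead of crashing
        entry = per_src[rec["src"]]
        entry["attempts"] += 1
        if is_default_credential(rec["user"], rec["pass"]):
            entry["default_tries"] += 1
            if rec["result"] == "success":
                entry["default_success"].append((rec["user"], rec["pass"]))
    for entry in per_src.values():
        if entry["default_success"]:
            entry["verdict"] = "default-credential login"  # device is as good as owned
        elif entry["default_tries"] >= 2:
            entry["verdict"] = "mirai-style scan"  # walking the factory-default list
        elif entry["default_tries"] == 1:
            entry["verdict"] = "suspicious"
        else:
            entry["verdict"] = "normal"
    return dict(per_src)


if __name__ == "__main__":
    for src, entry in analyze(SAMPLE_LOG).items():
        print(f"{src:16} attempts={entry['attempts']} "
              f"default_tries={entry['default_tries']} verdict={entry['verdict']}")
```

The thresholds are deliberately low: a legitimate owner has no reason to try `root/xc3511` even once, so a single default-credential attempt is worth a second look, and two in a row from one source is the scanner walking its list. A successful login with any pair in the table is the finding that matters, because it means the device accepts a password the whole Internet already knows.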
To make things worse, the authors of Mirai published the source code in late September 2016, shortly after their attack on the Web site of Brian Krebs, an Internet security investigative journalist. Now even people with rudimentary coding skill can assemble their own giant zombie botnets. There are also "peeping Tom" sites that randomly scan for, and easily find, cameras with these simple, known passwords and stream their feed to the world.
What's the fix? You might have noticed that phones or laptops occasionally need software updates. These introduce new features, but they also often patch bugs and fix software vulnerabilities. Alas, most devices vulnerable to Mirai were shipped with no feasible or easy way to update or fix them. Rebooting one clears the malware, which lives only in memory, but an unpatched device is typically reinfected within minutes of coming back on-line, and on many models changing the password in the web interface does not change the Telnet password that Mirai actually guesses.
I babysat various computer networks to pay for college, and the passwords that Mirai uses would be the same combinations I'd try when faced with a device with an unknown login. That this is still true so many years later points to the actual problem: nobody is minding the store. Indeed, why bother? For manufacturers of chips or devices, there is often little to no downside to shoddy security.
There is no authority with teeth and no clear law outlining liability for harm caused by such blatantly negligent security practices. The original authors of Mirai appear to be U.S. college students who eventually pleaded guilty after being caught, but that's mostly irrelevant. As long as there are large numbers of devices with the "admin/admin" username/password combination, someone would have done this eventually. The bad news is that there is no real solution to Mirai except waiting for existing vulnerable devices to degrade: the only stopgap is keeping them off the public Internet, behind a firewall that blocks inbound Telnet, and most owners will never do that. The good news is that if a few device makers who shipped "admin/admin" gadgets were forced to pay hefty fines or if parents of a hacked baby monitor could sue manufacturers or sellers, security would probably improve rapidly.
The Internet of Things promised us great wonders, but I'd like them to be less exciting. It's time to make baby monitors boring again—and go back to worrying about the little one's teething rather than his or her security camera joining a zombie botnet and wreaking havoc across the globe.